Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO (blog-designer-pro). This issue affects Blog Designer PRO: from n/a through <= 3.4.7.
Published: 2025-09-09
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary client‑side scripts into pages rendered by the Blog Designer PRO plugin. By supplying malicious input that is not properly escaped, the attacker can execute JavaScript in the browser of any user who views the affected page. This can compromise user sessions, deface content, or deliver additional malware. The weakness corresponds to CWE‑79.

Affected Systems

WordPress sites with the solwin Blog Designer PRO plugin at version 3.4.7 or earlier. The affected range has no stated lower bound ("from n/a"): every release up to and including 3.4.7 is considered vulnerable.

Risk and Exploitability

With a CVSS score of 7.1, the flaw is considered high severity. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is web-based: an attacker crafts a URL or form input containing script, and when a victim views the resulting page the input is reflected and executed in their browser. Exploitation does not require authentication (the CVSS vector gives PR:N) because the injection point is on a public page, but it does require user interaction (UI:R), since a victim must load the crafted request. Authenticated users who do so are particularly at risk, because the reflected script runs in the context of their session.

Generated by OpenCVE AI on April 30, 2026 at 07:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Blog Designer PRO plugin to version 3.4.8 or later, which contains the necessary input sanitization fix.
  • Implement a strict content security policy that disallows inline scripts and only permits scripts from trusted sources, thereby limiting the impact of any residual XSS code.
  • Review and harden any custom code or additional input fields that interact with the plugin to ensure data is properly escaped or validated before rendering.

Generated by OpenCVE AI on April 30, 2026 at 07:01 UTC.

Advisories

  Source: EUVD
  ID: EUVD-2025-27437
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO. This issue affects Blog Designer PRO: from n/a through 3.4.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO. This issue affects Blog Designer PRO: from n/a through 3.4.7.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO blog-designer-pro.This issue affects Blog Designer PRO: from n/a through <= 3.4.7.

  Type: References

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 09 Sep 2025 23:15:00 +0000

  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 21:45:00 +0000

  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Tue, 09 Sep 2025 16:45:00 +0000

  Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in solwin Blog Designer PRO. This issue affects Blog Designer PRO: from n/a through 3.4.7.

  Type: Title
  Values Added: WordPress Blog Designer PRO plugin <= 3.4.7 - Reflected Cross Site Scripting (XSS) vulnerability

  Type: Weaknesses
  Values Added: CWE-79

  Type: References

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:50.221Z

Reserved: 2025-05-07T10:45:47.046Z

Link: CVE-2025-47694

Vulnrichment

Updated: 2025-09-09T17:50:34.868Z

NVD

Status: Deferred

Published: 2025-09-09T17:15:46.863

Modified: 2026-04-23T15:30:45.620

Link: CVE-2025-47694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:15:31Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')